Understanding Your WordPress Risk from the PHP Mailer Vulnerability

So nearly 3 weeks ago, we started hearing about the vulnerability within the PHP Mailer library that’s also used within the WordPress Core.

And everyone ran for the hills with their hair on fire (again).

Was this a critical security vulnerability? Yes.
Was WordPress susceptible? Actually, no.
So was it necessary to lose the plot and wet ourselves? No.

Anybody that pays attention to WordPress core security releases will know that when there’s a serious security vulnerability in the core, it gets patched pretty damn quick. There’s no messing around.

But isn’t it odd that WordPress didn’t get patched immediately following the announcement of this PHP Mailer vulnerability? Why haven’t the Core team released a security patch already?!

When something in life is weird, it’s probably not weird – you likely just don’t know all the pertinent information yet.

So it’s not odd. Why? Because, from WordPress themselves:

The Security Team has spent some time analysing this vulnerability, and how it applies to WordPress. This vulnerability does not appear to be directly exploitable in WordPress Core, or any major plugins in the plugin directory. The wp_mail() function, which WordPress Core and most plugins use for sending email, blocks this vulnerability from being exploited.

Unfortunately, when a “security” expert posts on Facebook, or anywhere else for that matter, it doesn’t mean it’s worth getting upset about. They may say “we’re not trying to alarm you” and other nice things, but unless there is a reason that goes beyond “making you aware”, it’s probably not going to help you at all.

Shield Core File Scanner Warnings

InMotion Hosting decided to run around and automatically patch all PHP Mailer library files in their customers’ WordPress websites. Why? No research; no testing; just brute-force patching across the board. It doesn’t matter whether you’re vulnerable or not. It doesn’t matter that there’s no security/technical foundation underlying this sort of action.

This action, taken by several apps/vendors, caused a huge deluge of support requests asking if it’s possible to turn off the core file scanner in our Shield security plugin. Here is the support request put another way:

“There is a 3rd party repeatedly modifying a core WordPress file. It’s being flagged by a scanner designed to detect changes or deviations from the original core files (so as to flag up modifications by hackers). This scanner is clearly doing its job correctly and now I’m getting all these annoying emails warning about this. Can we stop these emails please?”

You can stop these emails in 1 of 2 ways.

  1. Turn off the scanning feature altogether
  2. Prevent the modification of your core files in the first place

Unfortunately, we will not be changing the behaviour of Shield’s core file scanner as it is working as intended.
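To make concrete what a core file scanner is doing when it flags a host’s “patch”, here is an added example (not Shield’s own code): it hashes each core file and compares it against a manifest in the format of the WordPress.org checksums API that WP-CLI’s `wp core verify-checksums` consumes. The file contents and manifest are constructed so it runs offline.

```python
"""Added example (not Shield's own code): a minimal core-file integrity scan
of the kind the post describes.  The manifest format follows the WordPress.org
checksums API used by WP-CLI's `wp core verify-checksums`: a JSON object
{"checksums": {"relative/path.php": "<md5 hex>", ...}}.  Everything below
is constructed so the example runs offline."""
import hashlib
import os
import tempfile

# Constructed pristine contents; the manifest is derived from them.
PRISTINE = {
    "wp-includes/class-phpmailer.php": b"<?php\nclass PHPMailer { /* pristine */ }\n",
    "wp-includes/version.php": b"<?php\n$wp_version = 'x.y.z';\n",
}
MANIFEST = {"checksums": {p: hashlib.md5(b).hexdigest() for p, b in PRISTINE.items()}}


def scan_core(root, manifest):
    """Return {relative_path: 'modified' | 'missing'} for every core file that
    deviates from the manifest; a pristine install yields an empty dict."""
    findings = {}
    for rel_path, expected_md5 in manifest["checksums"].items():
        full = os.path.join(root, *rel_path.split("/"))
        if not os.path.isfile(full):
            findings[rel_path] = "missing"
            continue
        with open(full, "rb") as fh:
            actual_md5 = hashlib.md5(fh.read()).hexdigest()
        if actual_md5 != expected_md5:
            findings[rel_path] = "modified"
    return findings


def demo():
    """Write a constructed install, confirm it scans clean, then apply a
    'host patch' to the PHPMailer file and return what the scanner flags."""
    root = tempfile.mkdtemp()
    for rel_path, body in PRISTINE.items():
        full = os.path.join(root, *rel_path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    assert scan_core(root, MANIFEST) == {}  # untouched core: nothing flagged
    with open(os.path.join(root, "wp-includes", "class-phpmailer.php"), "ab") as fh:
        fh.write(b"// patched outside of WordPress.org\n")
    return scan_core(root, MANIFEST)

if __name__ == "__main__":
    print(demo())  # {'wp-includes/class-phpmailer.php': 'modified'}
```

Any edit to a core file, whether by an attacker or by a well-meaning host, produces the same “modified” finding; the scanner has no way to tell the two apart, which is exactly why the warning emails keep arriving.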

The Conclusion?

If your WordPress Core installation was susceptible to the PHP Mailer security vulnerability released to the public nearly 3 weeks ago, you would have received an update a long time ago.

Our WordPress Core file scanner within Shield is working perfectly well – if your host or any other 3rd party software wants to “patch” your WordPress core files outside of WordPress.org itself, then you need to decide if that’s the best approach to this sort of problem.
